Storing BitLocker recovery information in Active Directory

Windows Vista’s new BitLocker encryption technology is a two-edged sword. On the one hand, it offers excellent protection because it encrypts the entire OS volume with AES-256. On the other hand, if you lose the volume master key (VMK), you’re screwed: there’s no way for you to unlock and recover data from the volume.

To make this less of a danger, Microsoft allows you to create a recovery password that you can use to decrypt the disk. More precisely, the technical overview says:

In BitLocker, recovery consists of decrypting a copy of the volume master key blob that has been encrypted with a recovery key stored on a pluggable USB flash drive or with a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is possible if the TPM fails boot component validation, malfunctions, or disappears.

However, you still have to be very, very careful not to lose the recovery password! Vista includes the ability to back up the recovery password to Active Directory, but Microsoft hasn’t released the public details of exactly how to do this… until today, that is. The new BitLocker AD Guide describes how to enable AD backup of BitLocker recovery information (including the TPM owner password and the BitLocker recovery password for each protected volume).

You’ll need to extend your AD schema to enable this recovery mode. Don’t use the schema extension files on the Vista product DVD to do this. They don’t contain the correct schema properties. Instead, use the schema extension included with the AD Guide itself.
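Once the schema has been extended and clients start backing up their recovery information, the thing you actually want to know is whether the backup is happening for every machine. The script below is an added example, not something from this post or from Microsoft’s AD Guide; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later RSAT), an account permitted to read the recovery objects, and the schema class and attribute names that the BitLocker extension defines (ms-FVE-RecoveryInformation, msFVE-RecoveryGuid). It confirms the schema extension is present and then counts recovery objects under each computer account without ever reading the recovery password itself.

```powershell
# Added verification script (not from the blog post or the Microsoft AD Guide).
# Assumes the ActiveDirectory PowerShell module and read access to
# msFVE-RecoveryInformation objects stored beneath computer accounts.
Import-Module ActiveDirectory

# 1. Has the schema been extended with the BitLocker recovery class?
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$class = Get-ADObject -SearchBase $schemaNC `
    -Filter 'name -eq "ms-FVE-RecoveryInformation"' -ErrorAction SilentlyContinue
if (-not $class) {
    Write-Warning "Schema lacks ms-FVE-RecoveryInformation; apply the AD Guide's schema extension first."
    return
}

# 2. Which computers have at least one recovery object stored beneath them?
#    The recovery password attribute is deliberately not requested or printed.
$computers = Get-ADComputer -Filter * -SearchBase (Get-ADDomain).DistinguishedName
foreach ($c in $computers) {
    $recovery = Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'whenCreated', 'msFVE-RecoveryGuid'
    $newest = $recovery | Sort-Object whenCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer        = $c.Name
        RecoveryObjects = @($recovery).Count   # 0 means nothing has been backed up yet
        NewestBackup    = $newest.whenCreated
    }
}
```

A computer showing zero recovery objects is one whose volume you could not recover from AD if the TPM failed, so that column is the one worth alerting on; the recovery password itself should only be retrieved on demand by someone with a legitimate need, not dumped in a report.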



Filed under Security
